Security efforts paying offSecurity efforts paying off

Posted on by admini

The Computer Security Institute’s survey of security professionals at nearly 500 companies found that damages related to cyberattacks declined, reaching about $290,000 per company versus $400,000 per company a year ago.

The report, conducted in cooperation with the FBI, also said respondents thought denial-of-service attacks outpaced intellectual property theft as the most costly type of information threat. Such a shift may indicate that companies are shoring up internal-network defenses, said Robert Richardson, editorial director for CSI and an author of the report. “If you get more effective in protecting what is inside your networks, then (attackers) have to resort to other things,” he said. “One thing you can resort to is denial-of-service attacks.”

Unlike thefts, which require an attacker to break into a system, DoS attacks typically involve an online miscreant sending a flood of data to a Web site to prevent others from accessing the site. This is the first time DoS attacks have topped the list of threats.

The survey, which measures responses mainly from information technology managers who work for companies that are CSI members, is considered an indicator of general trends but not a reliable measure of specific detail, said Richardson. “You have to be careful in general of results of this kind,” he said. “It highlights a lot of interesting things, but it also raises questions that can’t be answered by the data.”

Most companies kept security functions inside the company, with only 12 percent of those surveyed indicating they outsourced more than 20 percent of security procedures. Larger companies typically benefited from economies of scale and paid less per employee for security, the survey found. Companies with annual sales of more than $1 billion typically paid a little more than $100 per worker on security, while companies with revenue of less than $10 million spent an average of $500 per worker.

The survey also indicated that more companies are interested in computer security because of new government regulations. The financial, utility and telecommunications sectors believe that the Sarbanes-Oxley Act, which requires a company’s executives to be accountable for their financial statements, has resulted in management focusing on information security, Richardson said. This is the first year that the survey asked companies about the effect of the law.

More info: http://news.com.com/Survey%3A+Security+efforts+paying+off/2100-7355_3-5230787.html?tag=nefd.top

Read more

Shortage of computer security experts hampers agencies

Posted on by admini

“There is an incredibly shrinking pool of IT security professionals in government,” said Jack Johnson, chief security officer at the Homeland Security Department. Johnson is working on developing the Homeland Security Information Network, which he said would be at Defense Department “secret level” by year’s end. He also said Homeland Security is looking to redesign personnel security to prevent internal cyber attacks.

“The sharing amongst bad guys is growing,” he said at a SecureE-Biz.net conference. “The sharing amongst the good guys on procurement, technology and approach needs to grow at an equal or greater rate.

The president last year signed a law authorizing a significant increase in cyber-security R&D funding, but it was not requested in the fiscal 2005 White House budget proposal.

Thomas O’Keefe, deputy director of the Federal Aviation Administration office of information systems security, said more research and development, and more collaboration among researchers and industry, is needed on cybersecurity. The air-traffic network is completely separate from the Internet, as well as other aspects of the FAA network, making it impossible for viruses to spread from those sources, he said.

More info: http://www.govexec.com/dailyfed/0604/061004tdpm2.htm

Read more

Companies lack plans in case of terrorist attacks

Posted on by admini

A majority of security executives surveyed said their companies don’t have plans to cope with an unconventional terrorist attack, even though most believe that a terrorist attack of some kind is likely to occur in the coming months, according to the results of a poll released by CSO magazine today.

The survey of 476 chief security officers and senior security executives found that 60% believe that a terrorist attack is likely in Boston or New York, which are hosting the Democratic and Republican political conventions this summer, respectively. While 63% of CSOs said their companies have planned for conventional attacks such as bombings or hostage taking, 61% said they haven’t planned for unconventional attacks using chemical, biological or nuclear weapons, according to the magazine.

The online survey of CSO subscribers was conducted between April 27 and May 18, 2004, and has a 4.5% margin of error.

CSO subscribers were asked their opinions on a number of issues, including terrorism, politics, IT security policy and purchasing decisions.

While planning for unconventional terrorist attacks is rare, the CSOs reported much better preparation for threats such as cyberattacks, natural disasters and violent employees.

Ninety-four percent of those surveyed said they have contingency plans in place for natural disasters and 86% for cyberattacks. Eighty percent said their companies are prepared for attacks from violent employees or former employees. Indeed, the survey showed that companies are quick to slam the door on former employees.

Seventy-four percent of those surveyed block network access to e-mail and critical documents within one business day of employees being fired or leaving a company, and 81% block physical access within one business day.

The theft of intellectual property or other proprietary information is also a top concern of CSOs, with 91% saying that managing access to critical information and documents is either “extremely important” or “very important.”

More info: http://www.computerworld.com/securitytopics/security/story/0,10801,93741,00.html

Read more

Security Expected To Take A Larger Bite Out Of IT Budgets

Posted on by admini

Security spending takes up from 3 percent to 4 percent of IT budgets today, the Meta Group said in a report on calculating information-security spending.

A chief financial officer typically defines ROI as dollars spent balanced by additional revenue or accrued profit, but “security doesn’t generate revenue or improve profits in a predictable manner,” Meta analyst Chris Byrnes said.

The rate of spending is expected to be slower in Europe than in the U.S., with a 5 percent to 7 percent CAGR versus a 10 percent CAGR, Meta said.

The major reasons are the lower intensity of publicity regarding cyber-crime and compliance issues.

In the Asia-Pacific region, spending rates are expected to be similar to Europe in mature economies, such as Singapore, Japan, Australia, and South Korea.

Security spending in developing countries, such as Malaysia, Thailand, and Philippines, is only starting.

Within verticals, the more regulated industries and those that conduct a lot of electronic financial transactions over the public Internet are expected to continue spending more on security.

More info: http://www.techweb.com/wire/story/TWB20040607S0013

Read more

Immunize Your Servers Against Attack

Posted on by admini

Primary Response 2.2 is software you install on Windows NT, 2000, 2003, or Solaris servers. It “immunizes” your servers against undefined intrusions, the way the human body defends itself against biological viruses it’s never seen before, according to its developer, Sana Security.

The basic security features of Primary Response 2.1, the software’s previous version, have just been certified by ICSA Labs, an independent testing firm, according to a lab spokesperson. This is the first such certification given to a new kind of program known as host-based intrusion prevention systems or HIPS, according to Dr. Steven Hofmeyr, Sana’s founder and chief scientist.

A NIPS solution is typically a hardware appliance that’s plugged in between a company’s servers and the Internet. Such devices monitor network traffic and protect the servers from inappropriate packets, such as hacker attacks. NIPS, however, cannot protect applications that are running on individual PCs or defend against the behavior of insiders, which most intrusions are.

Host-based intrusion prevention systems, such as Primary Response, install on each server that you wish to protect. Installing a HIPS solution, unfortunately, doesn’t eliminate the need for companies to also purchase NIPS and client-based security software.

But corporations can save big bucks with HIPS by installing Microsoft patches only once every calendar quarter, instead of once a month or more, Hofmeyr says.

A Primary Response 2.2 installation consists of at least one “management server,” which lists for $6,500, and one “agent” per server you wish to protect.

More info: http://itmanagement.earthweb.com/columns/executive_tech/article.php/3364491

Read more

Cybersecurity: Too important to leave in private hands?

Posted on by admini

During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, advocated government taking a more active role.

While others on the panel suggested the U.S. government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software vendors aren’t sued for selling products with security flaws. Without laws allowing software vendors to be sued, “you are rewarding people for selling broken products,” he added. Instead of software vendors being held responsible for cybersecurity problems, the buyers pay the bill, Press said. Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft dominates, competition over the past couple of years has helped improve software security, Pescatore added.

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News’ Beltway Boys, asked the panel why more cybersecurity legislation hasn’t been considered in the U.S. Congress.

“There’s a fear of stifling innovation,” said Roger Cressey, president of Good Harbor Consulting LLC and former counterterrorism expert at the White House.

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News’ Beltway Boys noted that some government and private cybersecurity experts have been warning of the possibility of a “digital Pearl Harbor,” a massive attack on U.S. IT assets, for several years. The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. However, Dix said Monday he hopes the subcommittee’s efforts to raise awareness about cybersecurity will get company chief executives to take the issue seriously.

But Press suggested that the software industry should be proactive and work with Congress now to pass legislation the industry can live with.

More info: http://www.nwfusion.com/news/2004/0607cybertooi.html

Read more